Abstract. We introduce a simple, practical approach with probabilistic information-theoretic security to mitigate one of quantum key distribution's major limitations: the short maximum transmission distance (~ 200 km) possible with present day technology. Our scheme uses classical secret sharing techniques to allow secure transmission over long distances through a network containing randomly-distributed compromised nodes. The protocol provides arbitrarily high confidence in the security of the protocol, and modest scaling of resource costs with improvement of the security parameter. Although some types of failure are undetectable, users can take preemptive measures to make the probability of such failures arbitrarily small.
1 Introduction

Public key cryptography is a critical component of many widely-used 
cryptosystems, and forms the basis for much of our ecommerce transac- 
tion security infrastructure. Unfortunately, the most common public key 
schemes are known to be insecure against quantum computers. In 1994, 
Peter Shor developed a quantum algorithm for efficient factorization and 
discrete logarithms [1]; the (supposed) hardness of these two problems 
formed the basis for RSA and DSA, respectively. Sufficiently powerful 
quantum computers do not yet exist, but the possibility of their existence 
in the future already poses problems for those with significant forward 
security requirements. 

A more secure replacement for public key cryptography is needed. 
Ideally, this replacement would offer information-theoretic security, and 
would possess most or all of the favorable qualities of public key cryp- 
tography. At present, no complete replacement exists, but quantum key 



distribution (QKD) — in conjunction with one-time pad (OTP) or other 
symmetric ciphers — appears promising. 

QKD — first developed by Bennett and Brassard [2] — is a key distri- 
bution scheme that relies upon the uncertainty principle of quantum me- 
chanics to guarantee that any eavesdropping attempts will be detected. In 
a typical QKD setup, individual photons are sent through optical fiber or 
through free space from the sender to the receiver. The receiver performs 
measurements on the photons, and sender and receiver communicate via 
an authenticated (but not necessarily private) classical channel. 

Optical attenuation of these single photon pulses limits the maxi- 
mum transmission distance for a single QKD link to about 200 km over 
fiber with present technology [3], and significantly less through air. Un- 
like optically-encoded classical information, the "signal strength" of these 
photons cannot be amplified using a conventional optical amplifier; the 
No Cloning Theorem [4] prohibits this. We refer to this challenge as the 
relay problem. 

Two classes of quantum repeaters have been proposed to resolve the 
distance limitations of QKD. The first makes use of quantum error cor- 
rection to detect and rectify errors in specially-encoded pulses. Unfortu- 
nately, the extremely low error thresholds for such schemes (~ 10~ 4 ) make 
this impractical for use in a realistic quantum repeater. The second class 
of quantum repeaters uses entanglement swapping and distillation [5, 6] 
to establish entanglement between the endpoints of a chain of quantum 
repeaters, which can then be used for QKD [7]. This method is much more 
tolerant of errors, and offers resource costs that scale only polynomially 
with the number of repeaters (i.e., polynomially with distance). How- 
ever, such repeaters do have one major drawback: they require quantum 
memories with long decoherence times [6]. 

In order to be useful for practical operation, a quantum repeater must 
possess a quantum memory that meets the following three requirements: 

1. Long coherence times: at a minimum, coherence times must be comparable to the transit distance for the entire repeater chain (e.g., ~ 10 ms for a trans-Atlantic link).

2. High storage density: the bandwidth for a quantum repeater is limited 
by the ratio of its quantum memory capacity to the transit time for 
the entire repeater chain [8]. 

3. Robustness in extreme environments: practical quantum repeaters 
must be able to operate in the range of environments to which tele- 
com equipment is exposed (e.g., on the ocean floor, in the case of a 
trans-oceanic link). 



These requirements are so demanding that it is possible that practical 
quantum repeaters will not be widely available until after large-scale 
quantum computers have been built — in other words, not until too late. 

The distance limitations of QKD and the issues involved in devel- 
oping practical quantum repeaters make it challenging to build secure 
QKD networks that span a large geographic area. The naive solution of 
classical repeaters leads to exponentially decaying security with transmis- 
sion distance if each repeater has some independent probability of being 
compromised. If large QKD networks are to be built in the near future 
(i.e., without quantum repeaters), an alternative method of addressing 
the single-hop distance limitation must be found. We refer to this as the 
relay problem. 

Given an adversary that controls a randomly-determined subset of 
nodes in the network, we have developed a solution to the relay prob- 
lem that involves encoding encryption keys into multiple pieces using a 
secret sharing protocol [9, 10] . These shares are transmitted via multi- 
ple multi-hop paths through a QKD network, from origin to destination. 
Through the use of a distributed re-randomization protocol at each inter- 
mediate stage, privacy is maintained even if the attacker controls a large, 
randomly-selected subset of all the nodes. 

We note that authenticated QKD is information-theoretic secure [11], 
as is OTP; in combination, these two cryptographic primitives provide 
information-theoretic security on the level of an individual link. Our pro- 
tocol makes use of many such links as part of a network that provides 
information-theoretic security with very high probability. In particular, 
with some very small probability $\delta$, the protocol fails in such a way as to allow a sufficiently powerful adversary to perform undetected man-in-the-middle (MITM) attacks. The failure probability $\delta$ can be made arbitrarily small by modest increases in resource usage. In all other cases,
the network is secure. We describe the level of security of our protocol as 
probabilistic information-theoretic. 

In analyzing our protocol, we consider a network composed of a chain 
of "cities", where each city contains several parties, all of whom are linked
to all the other parties in that city. We assume intracity bandwidth is 
cheap, whereas intercity bandwidth is expensive; intercity bandwidth us- 
age is the main resource considered in our scaling analysis. For the sake 
of simplicity, we consider communication between two parties (Alice and 
Bob) who are assumed to be at either end of the chain of cities. A similar 
analysis would apply to communication between parties at any interme- 
diate points in the network. 



2 Adversary and Network Model 

It is convenient to model networks with properties similar to those de- 
scribed above by using undirected graphs, where each vertex represents 
a node or party participating in the network, and each edge represents a 
secure authenticated private channel. Such a channel could be generated 
by using QKD in conjunction with a shared secret key for authentication, 
or by any other means providing information-theoretic security.

We describe below an adversary and network model similar in some 
ways to one we proposed earlier in the context of a protocol for authenticating mutual strangers in a very large QKD network, which we referred
to as the stranger authentication protocol. In that protocol, edges rep- 
resented shared secret keys, whereas here they represent physical QKD 
links. Network structure in the previous model was assumed to be random 
(possibly with a power law distribution, as is common in social networks), 
whereas here the network has a specific topology dictated by geographic 
constraints, the distance limitations of QKD, and the requirements of the 
protocol. 

2.1 Adversarial Capabilities and Limitations 

We call the following adversary model the sneaky supercomputer: 

(i) The adversary is computationally unbounded. 

(ii) The adversary can listen to, intercept, and alter any message on any 
public channel. 

(iii) The adversary can compromise a randomly-selected subset of the 
nodes in the network. Compromised nodes are assumed to be under 
the complete control of the adversary. The total fraction of compromised nodes is limited to $(1 - t)$ or less.

Such an adversary is very powerful, and can successfully perform 
MITM attacks against public key cryptosystems (using the first capa- 
bility) and against unauthenticated QKD (using the second capability), 
but not against a QKD link between two uncompromised nodes that 
share a secret key for authentication (since quantum mechanics allows 
the eavesdropping to be detected) [11]. The adversary can always per- 
form denial-of-service (DOS) attacks by simply destroying all transmitted 
information; since DOS attacks cannot be prevented in this adversarial 
scenario, we concern ourselves primarily with security against MITM attacks. Later, we will briefly consider variants of this adversarial model
and limited DOS attacks. 

The third capability in this adversarial model — the adversary's control 
of a random subset of nodes — simulates a network in which exploitable 
vulnerabilities are present on some nodes but not others. As a first ap- 
proximation to modeling a real-world network, it is reasonable to assume 
the vulnerable nodes are randomly distributed throughout the network. 

An essentially equivalent adversarial model is achieved if we replace 
the third capability as follows: suppose the adversary can attempt to 
compromise any node, but a compromise attempt succeeds only with 
probability $(1 - t)$, and the adversary can make no more than one attempt per node. In the worst case where the adversary attempts to compromise all nodes, the adversary will control a random subset of all nodes, with the fraction of compromised nodes being roughly $(1 - t)$.

2.2 The Network 

For the relay problem, let us represent the network as a graph $G$, with $V(G)$ being the set of vertices (nodes participating in the network) and $E(G)$ being the set of edges (secure authenticated channels, e.g. QKD links between parties who share secret keys for authentication). $N = |V(G)|$ is the number of vertices (nodes). $V_d$ is the set of compromised nodes, which are assumed to be under the adversary's control; $|V_d| \le N(1 - t)$. Furthermore, let us assume that the network has the following structure: nodes are grouped into $m$ clusters — completely connected sub-graphs containing $n$ nodes each. There are thus $N = mn$ nodes in the network. We label the nodes as $v_{i,j}$, $i \in \{1, \ldots, n\}$, $j \in \{1, \ldots, m\}$. Each node is connected to one node in the immediately preceding cluster and one node in the cluster immediately following it.

More formally, let $E_\ell(G) = \{(v_{i,j}, v_{i,j+1}) : v_{i,j}, v_{i,j+1} \in V(G)\}$ and $E_a(G) = \{(v_{i,j}, v_{k,j}) : v_{i,j}, v_{k,j} \in V(G)\}$. Then, $E(G) = E_\ell(G) \cup E_a(G)$.

This network structure models a chain of m cities (a term which we use 
interchangeably with "cluster"), each containing n nodes. The cities are 
spaced such that the physical distance between cities allows QKD links 
only between adjacent cities. To realistically model the costs of communication bandwidth, we assume that use of long distance links (i.e., those represented by $E_\ell(G)$) is expensive, whereas intracity links (i.e., $E_a(G)$) are cheap.

Next, we consider two additional nodes — a sender and a receiver. The 
sender (hereafter referred to as Alice or simply A) has direct links to all 



the nodes in city 1, while the receiver (Bob, or B) has a link to all nodes 
in city m. We assume Alice and Bob to be uncompromised. An example 
is shown in Fig. 1. 

3 The Relay Protocol 

In the relay problem, Alice wishes to communicate with Bob over a dis- 
tance longer than that possible with a single QKD link, with quantum 
repeaters being unavailable. As described above, Alice and Bob are sep- 
arated by m "cities", each containing n participating nodes. (In the case 
where different cities contain different numbers of participating nodes, we 
obtain a lower bound on security by taking n to be the minimum over all 
cities.) 




Fig. 1. White vertices represent honest parties, whereas shaded vertices represent dis- 
honest parties. Double vertical lines represent secure communication links between all 
joined vertices (i.e., all parties within a given city can communicate securely). In the 
graph shown above, 40% of the parties in cities between Alice and Bob are dishonest, 
but Alice and Bob can still communicate securely using the method described in Sec. 
3 and Fig. 2. 

To achieve both good security and low intercity bandwidth usage, we 
can employ a basic secret sharing scheme with a distributed re-randomization 
of the shares [12] performed by the parties in each city. This re-randomization 
procedure is similar to that used in the mobile adversary proactive secret 
sharing scheme [13, 14]. Note that in the following protocol description, 
the second subscript labels the city, while the first subscript refers to the 
particular party within a city. 

(i) Alice generates $n$ random strings $r_{i,0}$, $i \in \{1, \ldots, n\}$, of length $\ell$, $r_{i,0} \in \{0,1\}^\ell$. $\ell$ is chosen as described in Sec. 3.1.



(ii) Alice transmits the strings to the corresponding parties in the first city: $v_{i,1}$ receives $r_{i,0}$.

(iii) When a party $v_{i,j}$ receives a string $r_{i,j-1}$, it generates $n - 1$ random strings $q^{(i)}_{k,j}$, $k \ne i$, of length $\ell$, and transmits each string to party $v_{k,j}$ (i.e., transmission along the vertical double lines shown in Fig. 1).

(iv) Each party $v_{i,j}$ generates a string $r_{i,j}$ as follows:

$$ r_{i,j} = r_{i,j-1} \oplus \Big( \bigoplus_{k,\, k \ne i} q^{(i)}_{k,j} \Big) \oplus \Big( \bigoplus_{k,\, k \ne i} q^{(k)}_{i,j} \Big), $$

where the symbols ($\oplus$ and $\bigoplus$) are both understood to mean bitwise XOR. Note that the string $r_{i,j-1}$ is received from a party in the previous city, the strings $q^{(i)}_{k,j}$ are generated by the party $v_{i,j}$, and the strings $q^{(k)}_{i,j}$ are generated by other parties in the same city as $v_{i,j}$. The string $r_{i,j}$ is then transmitted to party $v_{i,j+1}$ (i.e., transmission along the horizontal lines shown in Fig. 1).

(v) Steps (iii) and (iv) are repeated until the strings reach the parties in city $m$. All the parties $v_{i,m}$ in city $m$ forward the strings they receive to Bob.

(vi) Alice constructs $s = \bigoplus_i r_{i,0}$ and Bob constructs $s' = \bigoplus_i r_{i,m-1}$.

(vii) Alice and Bob use the protocol summarized in Fig. 2 and described in detail in Section 3.1 to determine if $s = s'$. If so, they are left with a portion of $s$ (identified as $s_3$), which is their shared secret key. If $s \ne s'$, Alice and Bob discard $s$ and $s'$ and repeat the protocol.
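The relay steps above as an added Python simulation, not code from the original paper: Alice draws the $n$ shares of step (i), each intermediate city applies the pairwise masks of steps (iii) and (iv), city $m$ forwards what it receives to Bob, and the compromise condition of Sec. 4 is evaluated against a constructed set of compromised nodes. Byte strings stand in for bit strings, the index $i$ is 0-based, and the function names and the `transcript` layout are this example's own choices.

```python
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (the paper's circled plus)."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(strings):
    return reduce(xor_bytes, strings)


def rerandomize_city(received, rng=secrets.token_bytes):
    """Steps (iii) and (iv) for one city j.

    received[i] is r_{i,j-1} as received by party v_{i,j}.  Party v_{i,j}
    draws q^{(i)}_{k,j} for every k != i and hands it to v_{k,j} over the
    cheap intracity link, then outputs
        r_{i,j} = r_{i,j-1} XOR (XOR_k q^{(i)}_{k,j}) XOR (XOR_k q^{(k)}_{i,j}).
    Each mask enters exactly two outputs, so XOR_i r_{i,j} == XOR_i r_{i,j-1}.
    """
    n, ell = len(received), len(received[0])
    # q[i][k] is generated by v_{i,j} and sent to v_{k,j}
    q = [[rng(ell) if k != i else None for k in range(n)] for i in range(n)]
    out = []
    for i in range(n):
        r = received[i]
        for k in range(n):
            if k != i:
                r = xor_bytes(r, q[i][k])   # masks v_{i,j} generated itself
                r = xor_bytes(r, q[k][i])   # masks v_{i,j} received from v_{k,j}
        out.append(r)
    return out


def run_relay(n, m, ell, rng=secrets.token_bytes):
    """Steps (i)-(vi).  Returns (s, s', transcript), where transcript[j] is the
    list [r_{0,j}, ..., r_{n-1,j}] carried over the expensive intercity links:
    j = 0 is Alice -> city 1, j = m-1 is city m-1 -> city m.  City m forwards
    r_{i,m-1} unchanged to Bob (step (v))."""
    shares = [rng(ell) for _ in range(n)]          # step (i): r_{i,0}
    transcript = [shares]
    for _ in range(1, m):                          # cities 1 .. m-1 re-randomize
        shares = rerandomize_city(shares, rng)
        transcript.append(shares)
    s = xor_all(transcript[0])                     # Alice, step (vi)
    s_prime = xor_all(transcript[-1])              # Bob, step (vi)
    return s, s_prime, transcript


def strings_seen(compromised, n, m):
    """r_{i,j} is exposed if its sender v_{i,j} (Alice when j = 0; she is
    never compromised) or its receiver v_{i,j+1} is under adversary control.
    `compromised` holds (i, j) pairs with 1 <= j <= m and 0-based i."""
    return {(i, j) for j in range(m) for i in range(n)
            if (i, j) in compromised or (i, j + 1) in compromised}


def adversary_recovers(transcript, compromised):
    """Sec. 4 condition: the secret leaks iff at some stage j every r_{i,j}
    was sent or received by a compromised party; XORing that stage's strings
    then yields s.  Returns None when no stage is fully covered."""
    m, n = len(transcript), len(transcript[0])
    seen = strings_seen(compromised, n, m)
    for j in range(m):
        if all((i, j) in seen for i in range(n)):
            return xor_all(transcript[j])
    return None


if __name__ == "__main__":
    s, s_prime, transcript = run_relay(n=5, m=4, ell=16)
    print("s == s':", s == s_prime)
    # constructed adversary: one node per city, no stage fully covered
    scattered = {(0, 1), (1, 2), (2, 3), (3, 4)}
    print("scattered adversary recovers:", adversary_recovers(transcript, scattered))
    # constructed adversary: every node of city 2
    print("city-2 adversary recovers s:",
          adversary_recovers(transcript, {(i, 2) for i in range(5)}) == s)
```

Every mask $q$ enters exactly two strings of the same stage, so the XOR over a stage is invariant from Alice to Bob; a party that sees only some of a stage's strings learns nothing about $s$, whereas an adversary who sees all $n$ strings of any one stage reconstructs $s$ directly, which is exactly the failure condition analysed in Sec. 4.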



3.1 Key Verification 

In the last step of the protocol described above, Alice and Bob must verify that their respective keys, $s$ and $s'$, are the same and have not been tampered with. We note that there are many ways to accomplish this; we present one possible method here (summarized in Fig. 2) for definiteness, but make no claims as to its efficiency.

We consider Alice's key $s$ to be composed of three substrings, $s_1$, $s_2$, and $s_3$, with lengths $\ell_1$, $\ell_2$, and $\ell_3$, respectively (typically, $\ell_3 \gg \ell_1, \ell_2$). Bob's key $s'$ is similarly divided into $s'_1$, $s'_2$, and $s'_3$. If Alice and Bob successfully verify that $s_3 = s'_3$, they can use $s_3$ as a shared secret key for OTP encryption or other cryptographic purposes.

Fig. 2. Alice and Bob perform a verification sub-protocol to check that their respective secret keys, $s = (s_1, s_2, s_3)$ and $s' = (s'_1, s'_2, s'_3)$, are in fact the same. Alice generates a random number $r$, concatenates it with the hash $H[s_3]$ of $s_3$, XORs this with $s_1$, and sends the result to Bob. Bob decodes with $s'_1$, verifies that $H[s_3] = H[s'_3]$, then sends back to Alice the result of bit-wise XORing the hash of $r$, $H[r]$, with $s'_2$. Finally, Alice decodes with $s_2$ and checks to see that the value Bob has computed for $H[r]$ is correct. Alice and Bob now know $s_3 = s'_3$ and can store $s_3$ for future use. Note that with this protocol, the adversary can fool Alice and Bob into accepting $s$/$s'$ with 100% probability if the adversary knows $s$ and $s'$.

The verification is accomplished as follows:

(i) Alice generates a random nonce $r$, and computes the hash $H[s_3]$ of $s_3$. She then sends $(r, H[s_3]) \oplus s_1$ to Bob.

(ii) Bob receives the message from Alice, decrypts by XORing with $s'_1$, and verifies that the received value of $H[s_3]$ matches $H[s'_3]$. If so, he accepts the key, and sends Alice the message $H[r] \oplus s'_2$. If not, Bob aborts.

(iii) Alice decrypts Bob's message by XORing with $s_2$, and verifies that the received value of $H[r]$ is correct. If so, Alice accepts the key, and verification is successful. If not, Alice aborts.
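The three verification steps as runnable Python, added here and not taken from the paper: $H$ is instantiated with SHA-256, $|r|$ is fixed at 16 bytes, and the substring lengths $\ell_1 = |r| + |H[\cdot]|$ and $\ell_2 = |H[\cdot]|$ follow from that; these choices, `verify`, and the error-string helper are this example's assumptions. Eve's attack is modelled as the text does it, as a string $e$ with $s' = s \oplus e$.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16   # |r| in bytes (assumed)
HASH_LEN = 32    # |H[.]| in bytes; H = SHA-256 is an assumed instantiation


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(s: bytes):
    """s = (s1, s2, s3) with ell1 = NONCE_LEN + HASH_LEN (s1a | s1b),
    ell2 = HASH_LEN, and everything that remains being s3."""
    ell1, ell2 = NONCE_LEN + HASH_LEN, HASH_LEN
    if len(s) <= ell1 + ell2:
        raise ValueError("key too short to carry s1, s2 and a non-empty s3")
    return s[:ell1], s[ell1:ell1 + ell2], s[ell1 + ell2:]


def alice_step1(s1, s3, rng=secrets.token_bytes):
    """Step (i): send (r, H[s3]) XOR s1.  s1a masks r, s1b masks H[s3]."""
    r = rng(NONCE_LEN)
    return r, xor_bytes(r + H(s3), s1)


def bob_step2(msg, s1p, s2p, s3p):
    """Step (ii): decrypt with s1', compare hashes, reply H[r] XOR s2' or abort (None)."""
    plain = xor_bytes(msg, s1p)
    r, h_received = plain[:NONCE_LEN], plain[NONCE_LEN:]
    if not hmac.compare_digest(h_received, H(s3p)):
        return None
    return xor_bytes(H(r), s2p)


def alice_step3(reply, r, s2):
    """Step (iii): decrypt with s2 and check that Bob's H[r] is correct."""
    if reply is None:
        return False
    return hmac.compare_digest(xor_bytes(reply, s2), H(r))


def apply_error(s: bytes, e: bytes) -> bytes:
    """Eve's whole attack is the string e, with s' = s XOR e (Sec. 3.1)."""
    return xor_bytes(s, e)


def single_byte_error(total_len, offset, value=0x01):
    """Constructed e that is zero everywhere except one byte at `offset`."""
    e = bytearray(total_len)
    e[offset] = value
    return bytes(e)


def verify(s, s_prime, rng=secrets.token_bytes):
    """Run the sub-protocol end to end; returns (bob_accepted, alice_accepted)."""
    s1, s2, s3 = split_key(s)
    s1p, s2p, s3p = split_key(s_prime)
    r, msg = alice_step1(s1, s3, rng)
    reply = bob_step2(msg, s1p, s2p, s3p)
    return reply is not None, alice_step3(reply, r, s2)


if __name__ == "__main__":
    s = secrets.token_bytes(512)                       # constructed relay output
    print("untampered:", verify(s, s))
    e3 = single_byte_error(len(s), len(s) - 1)         # error inside s3
    print("e3 != 0:   ", verify(s, apply_error(s, e3)))
    e2 = single_byte_error(len(s), NONCE_LEN + HASH_LEN)  # error inside s2
    print("e2 != 0:   ", verify(s, apply_error(s, e2)))
```

Running `verify` with an error confined to $e_3$, $e_{1b}$, $e_2$ or $e_{1a}$ reproduces the four outcomes the analysis predicts: the first two make Bob abort, the latter two fool Bob but not Alice, which is why the text says Eve's best strategy sets $e_{1a}$ and $e_2$ to zero.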

We now outline a proof of the security of this verification process, and discuss requirements for the hash function $H$. We begin with the assumption that Eve does not know $s$ or $s'$; if she does, the relay protocol has failed, and Eve can perform MITM attacks without detection (conditions under which the relay protocol can fail are analyzed in Sec. 4). Our goal is to show that Alice and Bob will with very high probability detect any attempt by Eve to introduce errors in $s'_3$ (i.e., any attempt by Eve to cause $s'_3 \ne s_3$), and that the verification process will also not reveal any information about $s_3$ to Eve.

We note that any modification by Eve of the messages exchanged by Alice and Bob during the verification process is equivalent to Eve introducing errors in $s'_1$ and $s'_2$ during the main part of the relay protocol. If she controls at least one intermediate node, Eve can introduce such errors by modifying one or more of the strings transmitted by a node under her control. We can thus completely describe Eve's attack on the protocol by a string $e = (e_1, e_2, e_3)$, where $s' = s \oplus e$, and the three substrings $e_1$, $e_2$, and $e_3$ have lengths $\ell_1$, $\ell_2$, and $\ell_3$, respectively (with $\ell = \ell_1 + \ell_2 + \ell_3$).

It is clear that Eve cannot gain any information about $s_3$ from the verification process, since the only information ever transmitted about $s_3$ (the hash $H[s_3]$) is encrypted by the OTP $s_1$, and $s_1$ is never re-used.

Before proceeding, let us further partition $s_1$ into two strings $s_{1a}$ and $s_{1b}$, where $s_{1a}$ is the portion of $s_1$ used to encrypt $r$, and $s_{1b}$ is the portion used to encrypt $H[s_3]$. Let $\ell_{1a}$ and $\ell_{1b}$ be the lengths of $s_{1a}$ and $s_{1b}$. We similarly partition $s'_1$ and $e_1$.

Eve's only hope of fooling Bob into accepting a tampered-with key (i.e., accepting even though $s'_3 \ne s_3$) is for her to choose $e_{1b}$ and $e_3$ such that the expression $H[s_3] \oplus H[s_3 \oplus e_3] = e_{1b}$ is satisfied. Random guessing will give her a $\sim 2^{-\ell_{1b}}$ chance of tricking Bob into accepting; for Eve to do better, she must be able to exploit a weakness in the hash function $H$ that gives her some information as to the correct value of $e_{1b}$, for some choice of $e_3$. Note that Eve's best strategy for this attack is to choose $e_{1a}$ and $e_2$ to be just strings of zeroes.

From this observation, we obtain the following condition on the hash function: for a random $s_3$ (unknown to Eve), there exists no choice of $e_3$ such that Eve has any information about the value of $e_{1b}$ she should choose to satisfy $H[s_3] \oplus H[s_3 \oplus e_3] = e_{1b}$. In practice, it would be acceptable for Eve to gain a very small amount of information, as long as
the information gained did not raise Eve's chances much beyond random 
guessing. This is a relatively weak requirement on H, and is likely satisfied 
by any reasonable choice of hash function. 

To fool Alice into falsely accepting, Eve can either fool Bob via the aforementioned method, or Eve can attempt to impersonate Bob by sending Alice a random string of length $\ell_2$, in the hopes that it happens to be equal to $s_2 \oplus H[r]$. Clearly, her chances for the latter method are no better than $2^{-\ell_2}$. The latter method of attack only fools Alice and not Bob; it is thus of limited use to Eve.

We note that the security of the verification protocol depends on the choice of $\ell_1$ and $\ell_2$ (as described above); these parameters should be chosen so as to provide whatever degree of security is required. Alice and Bob choose $\ell_3$ so as to obtain whatever size key they desire. Since the security



of the verification process does not depend on $\ell_3$, the communication cost of key verification is negligible in the limit of large $\ell_3$ (i.e., in the limit of large final key size).



4 Security of the Relay Protocol 

In order for the secret to be compromised, there must be some $j \in \{1, \ldots, m-1\}$ such that, for all $i \in \{1, \ldots, n\}$, at least one of $v_{i,j}$ and $v_{i,j+1}$ is dishonest (i.e., such that, for some $j$, every string $r_{i,j}$ is either sent or received by a compromised party). If this happens, we say the protocol has been compromised at stage $j$. For a given $j$, the probability of compromise is $(1 - t^2)^n$, but the probability for $j$ is not entirely independent of the probabilities for $j - 1$ and $j + 1$. Thus, we can bound from below the overall probability of the channel between Alice and Bob being secure, $p_s$, by (1):

$$ p_s \ge \left[ 1 - (1 - t^2)^n \right]^{m-1}. \tag{1} $$



From this result, we see that, if we wish to ensure our probability of a secure channel between Alice and Bob is at least $p_s$, it is sufficient to choose $n = \log\big(1 - p_s^{1/(m-1)}\big) / \log(1 - t^2)$. Intercity bandwidth consumed is proportional to $n$, so we see that we have good scaling of resource consumption with communication distance. Alternatively, we can re-write the equation for choosing $n$ in terms of a maximum allowed probability of compromise, $\delta = 1 - p_s$. For $\delta \ll 1$, we obtain the following relation:

$$ n \approx \frac{\log(m-1) - \log\delta}{-\log(1 - t^2)}. $$

Total resource usage (intercity communication links required) scales as $O(mn)$, or $O(m \log m)$ for fixed $\delta, t$. While intracity communication requirements scale faster (as $O(mn^2)$), it is reasonable to ignore this because of the comparatively low cost of intracity communication and the finite size of the earth (which effectively limits $m$ to a maximum of 100 or so for a QKD network with single link distances of ~ 100 km).

If each party in the network simultaneously wished to communicate with one other party (with that party assumed to be $m/2$ cities away on average), total intercity bandwidth would scale as $O(m^2 n^2)$. By comparison, the bandwidth for a network of the same number of parties employing public key cryptography (and no secret sharing) would scale as $O(m^2 n)$. Since $n$ scales relatively slowly (i.e., with $\log m$), this is a reasonable penalty to pay for improved security.
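Bound (1), the two expressions for $n$, and the chain-of-cities model of Sec. 2.2, as an added Python example that is not the paper's code: `p_secure_bound`, `n_required` and `n_approx` evaluate the formulas, and `simulate_p_secure` samples the network model with each node independently honest with probability $t$ (the equivalent adversary of Sec. 2.1) to check that the sampled security probability sits at or above the bound. The function names and the sample parameters are this example's assumptions.

```python
import math
import random


def p_secure_bound(n, m, t):
    """Eq. (1): p_s >= [1 - (1 - t^2)^n]^(m-1) for a chain of m cities with
    n nodes each, each node honest with probability t."""
    return (1.0 - (1.0 - t * t) ** n) ** (m - 1)


def n_required(m, t, p_s):
    """Smallest integer n that satisfies the bound, from the paper's
    n = log(1 - p_s^(1/(m-1))) / log(1 - t^2), rounded up."""
    if m < 2:
        return 1            # a single city: no intercity stage to compromise
    exact = math.log(1.0 - p_s ** (1.0 / (m - 1))) / math.log(1.0 - t * t)
    return math.ceil(exact)


def n_approx(m, t, delta):
    """Small-delta form n ~ [log(m-1) - log(delta)] / [-log(1 - t^2)]."""
    return (math.log(m - 1) - math.log(delta)) / (-math.log(1.0 - t * t))


def chain_is_secure(honest):
    """Sec. 4 condition on one sampled network.  honest[j][i] is True when
    node i of city j+1 (0-based city index) is honest.  Stage j is
    compromised iff for every i at least one of v_{i,j}, v_{i,j+1} is
    dishonest; the chain is secure iff no stage is compromised."""
    m, n = len(honest), len(honest[0])
    for j in range(m - 1):
        if all(not (honest[j][i] and honest[j + 1][i]) for i in range(n)):
            return False
    return True


def simulate_p_secure(n, m, t, trials=2000, seed=0):
    """Monte Carlo over the Sec. 2 model: each of the mn nodes is honest
    independently with probability t; returns the fraction of secure runs."""
    rng = random.Random(seed)
    secure = sum(
        chain_is_secure([[rng.random() < t for _ in range(n)] for _ in range(m)])
        for _ in range(trials))
    return secure / trials


if __name__ == "__main__":
    t, delta = 0.6, 0.01     # constructed parameters: ~40% of nodes compromised
    for m in (10, 50, 100):
        n = n_required(m, t, 1 - delta)
        print(f"m={m:3d}  n={n:3d}  approx={n_approx(m, t, delta):6.2f}  "
              f"bound={p_secure_bound(n, m, t):.4f}  "
              f"simulated={simulate_p_secure(n, m, t):.4f}")
```

The stage-secure events are increasing functions of the independent per-node honesty variables, so their joint probability is at least the product of the individual ones and the bound is conservative; the simulated fraction therefore lands at or slightly above it. The loop over $m$ makes the logarithmic growth of $n$ with the number of cities visible directly.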



5 Alternative Adversary Models 

We now briefly consider a number of alternative adversary models. First, let us consider replacing adversary capability (iii) with the following alternative, which we term (iii'): the adversary can compromise up to $k - 1$ nodes of its choice. Compromised nodes are assumed to be under the complete control of the adversary, as before. In this scenario, the security analysis is trivial. If $k > n$, the adversary can compromise Alice and Bob's communications undetected. Otherwise, Alice and Bob can communicate securely.

We could also imagine an adversary that controls some random subset of nodes in the network — as described by (iii) — and wishes to disrupt communications between Alice and Bob (i.e., perform a DOS attack), but does not have the capability to disrupt or modify public channels. Alice and Bob can modify the protocol to simultaneously protect against both this type of attack and also the adversary mentioned in Section 2.1. To do so, they replace the simple secret sharing scheme described above with a Proactive Verifiable Secret Sharing (PVSS) scheme [16]. In this scenario, nodes can check at each stage to see if any shares have been corrupted, and take corrective measures. This process is robust against up to $n/4 - 1$ corrupt shares, which implies that PVSS yields little protection against DOS attacks unless $t > t_{\mathrm{thresh}} \approx \sqrt{3}/2$.

6 Conclusion 

We have shown a protocol for solving the relay problem and building se- 
cure long-distance communication networks with present-day QKD tech- 
nology. The protocol proposed employs secret sharing and multiple paths 
through a network of partially-trusted nodes. Through the choice of mod- 
erately large n in the relay problem, one can make the possibility of com- 
promise vanishingly small. For fixed probability of compromise of each of 
the intermediate nodes, the number of nodes per stage required to main- 
tain security scales only logarithmically with the number of stages (i.e., 
with distance). 

Given that QKD systems are already commercially available, our 
methods could be implemented today. 